For the first time, UK intelligence agency GCHQ has admitted that it does hack into computers and devices to install malware to spy on people both in the UK and abroad. The admission was made before the UK's independent Investigatory Powers Tribunal, which is hearing complaints by human rights advocacy group Privacy International and seven internet service providers (ISPs) that GCHQ and the Foreign Office broke privacy laws to illegally hack into phones, computers and networks around the world.

Prior to the case being brought before the tribunal, GCHQ had refused to confirm or deny whether it had the capability to perform Computer and Network Exploitation (CNE), in which computers, devices and private networks are accessed without their owners' knowledge in order to steal information or monitor users' activities by surreptitiously turning on the device's camera and microphone, or by installing malware.

GCHQ admitted to spying on devices

The GCHQ confirmed that it undertook what it called "persistent operations", where an implant resided in the targeted computer or device to transmit information for an extended period of time, or "non-persistent operations" where the spying only took place during a user's internet session and the implant expired when the internet session ended.

"If CNE were carried out on my mobile you would get all the meetings I attend by turning on the microphone and access to all my chamber's files, bank details, my passwords, all my personal material and all my photos," said Ben Jaffey QC, lawyer for Privacy International and the seven ISPs, according to the Financial Times." [This is] equal to carrying a bug everywhere I go."

GCHQ and the UK government denied that GCHQ was engaged in any unlawful and indiscriminate mass-surveillance activities and says that CNE is lawful under both domestic and human rights laws. Further, GCHQ said that in the year up to September 2015, six alleged terror plots had been stopped, and that in some cases CNE might be the only way to acquire information about a terrorist suspect or a serious criminal in a foreign country.

Why was the Computer Misuse Act amended?

Edward Snowden turned whistleblower in 2013 when he leaked multiple documents revealing that the NSA and UK cousin GCHQ had been spying on the internet communications of millions of people around the world, as well as monitoring phone conversations in the US and tapping the phones of foreign politicians.

In May 2014, Privacy International teamed up with seven ISPs to sue the government, filing complaints with the IPT that the GCHQ's hacking activities were not legal under Article 8 of the European Convention on Human Rights. However, in May 2015, one day before the court case was scheduled to begin, Privacy International claimed it was told by the UK government that amendments had been made to the Computer Misuse Act in March that provided a new exception for law enforcement and GCHQ to hack without criminal liability.

Privacy International has argued that there was no public consultation or debate about the amendments and that all hacking activities performed by GCHQ up until the law change in March 2015 were still deemed illegal.